The Internet of Things will bring many benefits, but it’s also creating a security nightmare for which few are prepared.
The horror stories have already started.
The baby monitors transmitting a live feed onto the internet for all to see — and the smart teddy bear that could be hijacked. The car that allows hackers to take control of systems remotely. The power grid knocked offline by attackers accessing industrial control systems.
The rise of the Internet of Things (IoT) will bring with it huge benefits to businesses and consumers, but right now it is also creating a security nightmare.
“There isn’t any category of devices that has not been hacked to some degree: we’re talking anything from lightbulbs to nuclear power stations. As soon as you connect something to the internet then it’s hackable and it’s a target,” says Duncan Brown, research director at analyst firm IDC.
As sensors and connectivity have become cheaper, it has become more viable to add them to a far wider range of devices than ever before. So the ‘things’ in the IoT can range from consumer goods like baby monitors, thermostats and cars through to industrial systems.
There are plenty of good reasons to connect such devices to the internet: a connected thermostat allows you to warm up the house before you get home, while a factory could reduce downtime if sensors warn that a critical machine is about to overheat.
The number of things being attached to the internet is vast: one estimate is that there will be 6.4 billion connected things in use worldwide in 2016, with more than five million new devices being added every day. That number could reach 20 billion (or 40, or 50 billion, depending on who you are talking to) by 2020.
But connecting them also introduces new risks. For consumers there is a risk to privacy as these devices will record vast amounts of data about their daily lives that could be pieced together to create a deeply intimate portrait of their existence. For businesses, each of these new devices is a potential gateway into their network for hackers to exploit, and potentially allow them access to not just data but also the controls to physical systems where they could do real damage.
Recently the US Director of National Intelligence James Clapper warned of the risks of the IoT to data privacy, data integrity, or continuity of service and said: “Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US government systems.”
And to compound the problem, security has not until now been seen as a key consideration for many of these devices.
Consider how much difficulty organisations have in keeping their own IT infrastructure secure from attack. Now make that network 100 or 1,000 times bigger, formed out of devices they may never see, or touch, or own, collecting incredibly sensitive data.
All of this has got security professionals worried as the IoT offers a vast new surface area for them to try to defend, with plenty of opportunities for hackers to cause mischief — a security arena that’s both physical and digital.
“It’s absolutely not theoretical — it’s happening all of the time. It’s not any more difficult to hack a wi-fi-enabled lightbulb or fridge or microwave than it is to hack a PC. And in fact in many cases it’s orders of magnitude easier because they are less sophisticated and nobody has built antivirus for fridges yet,” says Brown.
New devices, new security headaches
Part of the reason for the security headache is down to the two paths along which the IoT has evolved.
There are the entirely new categories of devices, such as those for the smart home or connected cities, where there’s a lag between innovation and security: new products are built to test an idea, and security takes a back seat.
The other way the IoT is emerging is by connecting up existing systems, such as factory production lines. These might have been designed even before the internet existed, so secure remote access was never considered an issue, with the result that “you’ve got this retrofit problem,” says Brown.
Some IoT security issues are the same as those facing existing IT infrastructure, while others are new.
External hackers and traditional issues like data theft remain the biggest security worry, but the IoT will introduce new threats too: the rise of a black market that will sell fake sensor data, for example, or gangs threatening denial-of-service attacks against IoT networks — or even ‘denial of sleep’ attacks where hackers drain the batteries on devices by not letting them power down.
IoT devices potentially give hackers access to incredibly sensitive systems, both large and small (from power stations to pacemakers). Less dramatic, but still serious, issues surrounding privacy mean that organisations must take on board rapidly changing security implications, and begin to address them. This adds a level of complexity to the security landscape that’s unfamiliar to most IT and business leaders.
“The IoT has enormous potential to collect continuous data about our environment. The integrity of this data will be important in making personal and business decisions, from medical diagnoses to environmental protection, from commands to modify actions of machinery to identification and authorization of physical access,” said Ted Friedman, vice president at analyst firm Gartner.
According to Gartner, IoT security will account for 20 percent of annual security budgets by 2020 — up from less than one percent in 2015. All of this means that organisations need to come up with a new approach to security.
“IoT is not a security discipline on its own. IoT security builds on on-premises and cloud security principles and extends them to a new level of data analytics, device complexity, and human interaction,” notes analyst Forrester in its Secure IoT As It Advances Through Maturity Phases report.
Forrester adds: “A wider range of technologies working in a less controlled environment will lead to the highest level of security complexity we’ve ever seen. The heterogeneity of subsystems used to build the IoT ecosystem is a security nightmare for developers, and it will introduce vast software and hardware security risks in enterprise supply chains.”
The type of smart device will determine the level of risk: a smart lightbulb that can be turned on remotely poses less threat to privacy or data protection than a home automation system (which could lock or unlock your front door) or a self-driving car that could be steered off the road.
Indeed, as the devices become more autonomous the risk level is likely to rise.
“Purely digital domain security concerns will begin to have real-world physical safety and security concerns, which will raise the minimum bar for security. When human life is at risk, the quality of assurance needed skyrockets,” warns Forrester.
Most companies are already struggling to manage the security of their existing infrastructure: adding the IoT on top may create impossible challenges unless they change their approach, as Forrester notes: “The tools and techniques needed for lock-down, quarantine, forensics, legal holds, and recovery simply can’t handle these future demands.” This is going to leave enterprise IT professionals in a difficult position.
Cloud security and the IoT
As is so often the case in modern IT, the cloud is likely to be the saviour here.
Infrastructure-as-a-service players are likely to start offering IoT device management. For example, Microsoft Azure IoT Hub already allows organisations to set up individual identities and credentials for connected devices and revoke them again “to maintain the integrity of your system.” As the IoT gathers steam, such services will have to deal with hundreds of millions of devices.
Securing the data in transit from the edge of the network will also be essential. Encryption should help ensure privacy and data integrity, but organisations will also require the ability to detect when these remote devices could be used as a means of attacking their core network. Again, it’s unlikely that this will be implemented as anything other than a cloud service.
“Adversaries won’t focus exclusively on individual devices; the ultimate target will be the IoT data repositories,” noted Forrester.
The IoT will require the ability to segment the corporate network, and to assume that many of the devices attached to it are at best vulnerable and at worst an active security risk. According to Gartner, discovery, provisioning and authentication services will also make up a significant chunk of spending on IoT security.
But these services will take years to mature — it could be near the end of the decade before they are operating at scale and with the required efficiency level.
Not all of the IoT security headache will be solved by enterprises alone. Some of this will be down to the emergence of standards in particular industries — the smart home security standards will be different to the standards around critical national infrastructure, which in turn will be different to those used in the automotive industry — and all will develop at different rates, says IDC’s Brown.
And the devices themselves will have to improve too.
“If the manufacturers don’t move quickly there are going to be some really horrific hacks,” says Brown. “If you are asking people to install antivirus on their televisions that’s just the wrong solution to that problem. The industry will get there, but it will take a long time for security to be built in from the design upwards.”
In the meantime, expect IoT security — or more likely the lack of it — to be making headlines for the next few years at least, said Brown. “In five years’ time we will be in a better place, but it’s going to be a bumpy ride.”